Microsoft expiring SHA-1 updates; Will this kill XP?


sunryze

Okay, it's interesting, that using the old Netscape 9 (with the modern TLS fixes) behaves differently online than New Moon 28. They choose different encryption algorithms to visit HTTPS sites. All the sites that don't operate on the "next-week" XP with expired SHA-1 certificates can be accessed with Netscape (they don't look that good of course). My Windows 98 machine that uses Retrozilla and Netscape seems to be unaffected, too.

Would someone be so kind and send me over the crypt32.dll from his Windows XP 32-bit system? I'd like to see, if a whole update can be avoided.



19 minutes ago, Gansangriff said:

Oh no! Bad news: There are SHA-1 troubles indeed! By accident, I only tested HTTPS sites that still work here, like "msfn.org" and my search engine "swisscows.com". However "startpage.com" and "duckduckgo.com" are broken, so are probably 60% of the HTTPS sites.

This machine is a non-updated Windows XP SP2 with crypt32.dll of 2004, version 5.131.2600.2180. More investigation regarding that will follow...

@Tripredacus Good, that you've written this! I wouldn't have given it another test!

I had this nagging feeling that there was more to the story of SHA-1 troubles than just not being able to use Windows Update anymore, but given how little I understand of how all this works, I didn't think my concerns would be taken seriously.

On 4/28/2021 at 11:12 AM, NicePics13 said:

If you're not using any networked or new Microsoft software does it even matter? :dubbio:

Third party developers can still sign their applications with SHA-1 and implement their own SHA-2 support if needed, no?

This is part of why I had nagging concerns. Consider: how many developers go out of their way to support XP for any length of time once dev kits stop providing support by default? Most would just consider it not worth the trouble, I presume. Only in enthusiast circles would you actually see people taking care to make sure XP users can still run applications that might be affected.

Also, there's that whole code signing aspect.

This is all why I don't think it's a good idea to dismiss this as "paranoia mongering." It's why I actually spent time looking into this and seeing if XP ever did get SHA-2 support, and how to get it if so.


4 hours ago, DrWho3000 said:

my version is 5.131.2600.6459

shall i still install kb update hotfix for sha-2

if the kb isn't in M$ catalog where do i get it

last kb updates i did was for the ransomware emergency update

There's no point in doing it as it will apparently install but not actually do anything as the crypt32.dll file in the hotfix is older than the one already on the system, at least that was my experience.
If you have 5.131.2600.6459 as I have, that is the latest (and presumably last) version for XP.
:)


7 hours ago, Gansangriff said:

Would someone be so kind and send me over the crypt32.dll from his Windows XP 32-bit system? I'd like to see, if a whole update can be avoided.

Gladly - how would you prefer I get the 592 KB dll to you? It's too large to upload here.

https://uploadify.net/50587da2b387d8f4/crypt32.dll

Or:

https://files.fm/u/b73snhzx3

Edited by XPerceniol

On 4/28/2021 at 10:35 AM, Dave-H said:

I didn't appear to have KB968730 installed on my machine, so I downloaded it and installed it.
It appeared to install OK, and its registry entries are now there, but a system file check didn't reveal any changed files.

It should change CRYPT32.DLL.

The version in the hotfix is 5.131.2600.5779.
When I checked I found that I already have version 5.131.2600.6459, which is presumably why the hotfix didn't do anything!

Where would that later version have come from though, would it have been a POSReady update?
:dubbio:

aahhh shoot!

v5.131.2600.6459 of the crypt32.dll file is included in the KB2868626 (MS13-095) security update for XP which renders the KB968730 hotfix worthless (a bit late in realizing this, Dave).

also reading this from MS technet forums:

Quote

I've recently come across this issue and also unable to locate the above KB's.  These KB's were not however on any of the other S2k3 Terminal Servers we had in production, so kept looking elsewhere.  I found one article referencing a KB2868626 that was specified as to allow generating SHA256 certificates on s2k3.

https://serverfault.com/questions/670600/windows-server-2003-r2-iis6-sha-256-ssl-certificates

I have installed this, and found this has allowed me now to access sites with SHA256 certificates.

https://support.microsoft.com/en-us/help/2868626/ms13-095-vulnerability-in-xml-digital-signatures-could-allow-denial-of

 

edit: a slightly older crypt32.dll file for XP is also included in the KB2808679 update (also makes KB968730 hotfix useless), which prevents internal URL port scanning (to me this feels like a security fix even though it isn't classified as such) - I have both KB2808679 & KB2868626 updates installed on a friend's old eMachines PC running XP MCE 2005 + SP3.

Edited by erpdude8

As it turns out..

I do have (both) KB2808679 & KB2868626, but I don't have KB968730 installed; so I guess I won't bother then.

I was a bit surprised to find/discover them under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4 ?

Honestly, I may have (indeed) installed that (unofficial) SP4 at some point - sadly (I fully admit) it's not just my computer memory suffering here. **cry**

Truthfully ... I think come May 9th, I'll just hide in bed and pull the covers up over my head with my teddy bear :D

Edited by XPerceniol

I have quite a few updates which claim in the registry to be from "SP4" too, and have had for years.
I suspect it refers to a notional Service Pack 4 for Windows XP which was mooted by Microsoft at one time but never actually issued.
:)


Thank you, Dave, for confirming that - this has been a good learning lesson for me; I will say that much. I was surprised that I was even lacking those 6 updates (another story), as my system is posready, so I should be as up-to-date as can be ... but hopefully (together) we'll figure this out.


Just replacing crypt32.dll with a newer one didn't change the situation; however, what did make a noticeable change was a certain setting in New Moon called "Use OCSP to confirm the current validity of certificates". So now I deactivated the checking of the HTTPS certificate it seems. The error message "SEC_ERROR_OCSP_OLD_RESPONSE" gave me a wink to that. The browser got confused in the process of connecting to the OCSP (holding the certificates), trying to do something with SHA1. Maybe checking the certificate? It's not the TLS encryption, SHA is a hash function. I've just learned about this in this video: https://yewtu.be/watch?v=GI790E1JMgw


Some more notes on testing: While I was browsing today on the "next-week" Windows XP machine, none of the HTTPS sites did work, not even msfn.org, swisscows.com and wiby.me. So that changed compared to yesterday. Unchecking the option I described above however made browsing possible again. Still, SHA1 is not repaired... I'd be interested to see someone with an updated Windows XP try to time-travel too (setting the time two weeks to the front), as I am still running SP2 on two XP-computers here. This emergency situation can be simulated! I can confirm, that the time can be set back and SHA1 is recognised again.

The question is of course, if other things break, that rely on SHA1... because what I've described is only an evasion for web browsing with New Moon... watch out for your local power plants!


I haven't yet applied the Server 2003 SHA-2 update on my rig, so I just tested this as well, setting the date to May 10 at 1:25 AM. On New Moon and Firefox ESR, I get "SEC_ERROR_OCSP_OLD_RESPONSE" on some HTTPS sites but not others. The same sites are still accessible on Advanced Chrome and Chrome 49, however.

I tried to see if anything changed if I set the date to May 17, but the same sites would still break on the same browsers, while the other sites that did not break remained unbroken.

That's very peculiar.

Edited by TrevMUN

49 minutes ago, Gansangriff said:

Just replacing crypt32.dll with a newer one didn't change the situation; however, what did make a noticeable change was a certain setting in New Moon called "Use OCSP to confirm the current validity of certificates". So now I deactivated the checking of the HTTPS certificate it seems. The error message "SEC_ERROR_OCSP_OLD_RESPONSE" gave me a wink to that. The browser got confused in the process of connecting to the OCSP (holding the certificates), trying to do something with SHA1. Maybe checking the certificate? It's not the TLS encryption, SHA is a hash function. I've just learned about this in this video: https://yewtu.be/watch?v=GI790E1JMgw


Some more notes on testing: While I was browsing today on the "next-week" Windows XP machine, none of the HTTPS sites did work, not even msfn.org, swisscows.com and wiby.me. So that changed compared to yesterday. Unchecking the option I described above however made browsing possible again. Still, SHA1 is not repaired... I'd be interested to see someone with an updated Windows XP try to time-travel too (setting the time two weeks to the front), as I am still running SP2 on two XP-computers here. This emergency situation can be simulated! I can confirm, that the time can be set back and SHA1 is recognised again.

The question is of course, if other things break, that rely on SHA1... because what I've described is only an evasion for web browsing with New Moon... watch out for your local power plants!

My XP is up to date.
Updated certificates
No problem in the website you indicate:



4 hours ago, TrevMUN said:

I haven't yet applied the Server 2003 SHA-2 update on my rig...

I've been searching around the forum(s) and can't locate this update - would you kindly point me in the direction of where to obtain it? Thank you, and I find it strange that the Chrome browsers worked when FF browsers didn't, because I was under the impression that our maintainer for (both) New Moon and Serpent used certificates that weren't reliant upon the OS. I've not (yet) 'time traveled' my machine, and do you think that Server 2003 SHA-2 update would help us out with this situation anyway?

EDIT: Been searching around the web and most links are dead, so I'm looking at this.

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/sha2-and-windows/ba-p/1128617

Edited by XPerceniol

I am not a TLS expert, but it is my understanding that basically nothing is going to happen when this certificate expires. This cert is what Microsoft signs stuff with (for example, new updates, drivers...). There aren't any new updates being made for any SHA-1 system anyway.
The reason you cannot connect to HTTPS sites when you change the date is because you are changing the date, not any significance pertaining to what that date is.

Firefox-based browsers do not rely on Windows for encryption anyway. Chrome (at least on XP) partially does, but even for Chrome and IE, nothing is going to change.

Edited by i430VX

On 5/1/2021 at 9:10 AM, Gansangriff said:

Okay, it's interesting, that using the old Netscape 9 (with the modern TLS fixes) behaves differently online than New Moon 28. They choose different encryption algorithms to visit HTTPS sites. All the sites that don't operate on the "next-week" XP with expired SHA-1 certificates can be accessed with Netscape (they don't look that good of course). My Windows 98 machine that uses Retrozilla and Netscape seems to be unaffected, too.

Would someone be so kind and send me over the crypt32.dll from his Windows XP 32-bit system? I'd like to see, if a whole update can be avoided.

Though I DO really like that you avoid updates at all costs (that's our man, please go on!), I think your current connection problems are due to the time mismatch between you and the server, hence the error. For the future, just buy a cheap notebook with win 7/8/10, let it update the certificates and simply export the registry entries, or use someone else's, someone you don't care about, lol.

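The date-change tests in this thread can be modelled with the freshness check an OCSP client applies to a response's thisUpdate/nextUpdate window. This is an added example, not code from any poster or browser; the 24-hour tolerance, the function names and the timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed tolerance for clock skew; real clients each pick their own value.
SLOP = timedelta(hours=24)


def ocsp_freshness(this_update, next_update, now, slop=SLOP):
    """Classify an OCSP response's validity window against the local clock.

    Returns "fresh", "old" (local clock is past the window) or
    "future" (local clock is before the response was produced).
    """
    if this_update > now + slop:
        return "future"
    # Without nextUpdate the responder promises nothing beyond thisUpdate,
    # so the response ages out once the tolerance is used up.
    expiry = next_update if next_update is not None else this_update
    if now > expiry + slop:
        return "old"
    return "fresh"


def simulate(real_now, clock_offsets, validity=timedelta(days=4)):
    """Replay one constructed response against several local-clock settings."""
    this_update = real_now - timedelta(hours=6)
    next_update = this_update + validity
    return {
        label: ocsp_freshness(this_update, next_update, real_now + offset)
        for label, offset in clock_offsets.items()
    }


# Constructed scenario: a response issued on 2 May 2021, checked by machines
# whose clocks are correct, set ahead as in the thread's tests, or far behind.
REAL_NOW = datetime(2021, 5, 2, 12, 0, tzinfo=timezone.utc)
OFFSETS = {
    "correct clock": timedelta(0),
    "one week ahead": timedelta(days=7),
    "two weeks ahead": timedelta(days=14),
    "one month behind": timedelta(days=-30),
}

if __name__ == "__main__":
    for label, verdict in simulate(REAL_NOW, OFFSETS).items():
        print(f"{label:>17}: {verdict}")
```

The verdict depends only on the distance between the local clock and the response's window, so a responder that issues longer-lived responses tolerates a larger clock offset before its responses are treated as old.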

This topic is now closed to further replies.